PyRDP RDP Proxy & Interception Tool

Olivier Bilodeau (@obilodeau) / Alexandre Beaulieu (@alxbl_sec)
About Us

Olivier Bilodeau
- Cybersecurity Research Lead at GoSecure
- Jack of all trades, master of none
- Cofounder of MontréHack (hands-on security workshops)
- NorthSec VP Training / Hacker Jeopardy

Alexandre Beaulieu
- Security Researcher at GoSecure
- Software Developer
- Former Pentester
- Current PyRDP Maintainer / Developer
- Addicted to Running and Cycling


Contents
- RDP at a Glance
- PyRDP Core Features
- PyRDP as a Honeypot
- PyRDP as an Attack Tool
- Resources
RDP - A Layered Protocol
From TCP to Clipboard Management and I/O Channels

[Figure: protocol layer diagram; labels: Security, Clipboard, Segmentation, Fast-path]
RDP - Virtual Channels
Multiplexing data and extensions within a single connection

[Figure: virtual channel diagram; labels: I/O Channel, Device Redirection, Clipboard, Connection]

- Extra RDP features and extensions are implemented in virtual channels
- Server sends a list of available channels during the connection phase
- Client chooses which channels to join
RDP - The Connection Sequence

[Figure: RDP connection sequence between client and server, grouped into four stages: 1. Connection Negotiation, 2. Authentication, 3. Channel Enrollment, 4. Capability Exchange]

Connection Initiation
- X.224 Connection Request PDU (client to server)
- X.224 Connection Confirm PDU (server to client)

Basic Settings Exchange
- MCS Connect Initial PDU with GCC Conference Create Request
- MCS Connect Response PDU with GCC Conference Create Response

Channel Connection
- MCS Erect Domain Request
- MCS Attach User Request PDU
- MCS Attach User Confirm PDU
- MCS Channel Join Request PDU(s)
- MCS Channel Join Confirm PDU(s)

RDP Security Commencement
- Security Exchange PDU

Secure Settings Exchange
- Client Info PDU
- Auto-Detect Request PDUs

Capabilities Exchange
- Demand Active PDU
- Monitor Layout PDU
- Confirm Active PDU

Connection Established
- Initiate Multitransport Response PDU (multitransport bootstrapping)

Connection Finalization
- Synchronize PDU
- Control PDU - Cooperate
- Control PDU - Request Control
- Persistent Key List PDU
- Font List PDU
- Synchronize PDU
- Control PDU - Cooperate
- Control PDU - Granted Control
- Font Map PDU
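The first packet of the sequence above, the X.224 Connection Request, is what a honeypot or proxy sees before any authentication happens. The following parser is an added example (not PyRDP's own code) that decodes the TPKT framing, the X.224 Connection Request TPDU, the optional `Cookie: mstshash=` routing token and the optional RDP_NEG_REQ, and reports which security protocols the client asked for; this is the information a honeypot operator would log to tell legacy Standard RDP Security clients from TLS/NLA-capable ones. The function names and the two sample packets are constructed for this example; the field layout and flag values are those of MS-RDPBCGR.

```python
import struct

# RDP_NEG_REQ.requestedProtocols flag bits (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_NAMES = {
    0x00000001: "PROTOCOL_SSL",        # TLS
    0x00000002: "PROTOCOL_HYBRID",     # CredSSP, i.e. Network Level Authentication
    0x00000004: "PROTOCOL_RDSTLS",
    0x00000008: "PROTOCOL_HYBRID_EX",  # CredSSP with early user authorization result
}
NLA_BITS = 0x00000002 | 0x00000008
TYPE_RDP_NEG_REQ = 0x01
X224_CR_CODE = 0xE0                    # Connection Request TPDU code (high nibble)
COOKIE_PREFIX = b"Cookie: mstshash="


def parse_connection_request(data: bytes) -> dict:
    """Parse TPKT header + X.224 Connection Request (+ cookie, + RDP_NEG_REQ)."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed packet")
    tpkt_length = struct.unpack(">H", data[2:4])[0]
    if tpkt_length != len(data):
        raise ValueError("TPKT length does not match packet size")
    length_indicator = data[4]          # counts the bytes that follow the LI byte
    if data[5] & 0xF0 != X224_CR_CODE:
        raise ValueError("not an X.224 Connection Request TPDU")
    if 5 + length_indicator != len(data):
        raise ValueError("X.224 length indicator does not match packet size")
    # Fixed part: LI, code, DST-REF(2), SRC-REF(2), class option(1) = 7 bytes after TPKT.
    body = data[11:]

    # Optional routingToken or cookie, both terminated by CR LF.
    cookie_username = None
    if body and body[0] != TYPE_RDP_NEG_REQ:
        crlf = body.find(b"\r\n")
        if crlf == -1:
            raise ValueError("unterminated routing token / cookie")
        token = body[:crlf]
        if token.startswith(COOKIE_PREFIX):
            cookie_username = token[len(COOKIE_PREFIX):].decode("ascii", "replace")
        body = body[crlf + 2:]

    # Optional RDP_NEG_REQ: type(1), flags(1), length(2), requestedProtocols(4), little-endian.
    requested = None
    flags = 0
    if len(body) >= 8 and body[0] == TYPE_RDP_NEG_REQ:
        _, flags, length, requested = struct.unpack("<BBHI", body[:8])
        if length != 8:
            raise ValueError("malformed RDP_NEG_REQ length")

    if not requested:
        # No negotiation request, or requestedProtocols == 0: Standard RDP Security only.
        names = ["PROTOCOL_RDP"]
    else:
        names = [name for bit, name in PROTOCOL_NAMES.items() if requested & bit]
    return {
        "cookie_username": cookie_username,
        "has_negotiation_request": requested is not None,
        "negotiation_flags": flags,
        "requested_protocols": names,
        "nla_requested": requested is not None and bool(requested & NLA_BITS),
    }


# Constructed sample: legacy client, no cookie, no RDP_NEG_REQ (11 bytes, LI = 6).
LEGACY_CR = bytes.fromhex("0300000b06e00000000000")

# Constructed sample: cookie plus RDP_NEG_REQ asking for TLS or CredSSP (43 bytes, LI = 38).
MODERN_CR = (
    b"\x03\x00\x00\x2b"                    # TPKT: version 3, reserved, length 43
    b"\x26\xe0\x00\x00\x00\x00\x00"        # X.224 CR: LI 38, code 0xE0, refs, class 0
    b"Cookie: mstshash=alice\r\n"          # routing cookie carrying the username
    b"\x01\x00\x08\x00\x03\x00\x00\x00"    # RDP_NEG_REQ: SSL | HYBRID
)


def describe(info: dict) -> str:
    """One-line honeypot log entry for a parsed connection request."""
    return "user=%s protocols=%s nla=%s" % (
        info["cookie_username"], "|".join(info["requested_protocols"]), info["nla_requested"])


if __name__ == "__main__":
    for packet in (LEGACY_CR, MODERN_CR):
        print(describe(parse_connection_request(packet)))
```

A client that sends no RDP_NEG_REQ, or requests only PROTOCOL_RDP, can never be carried through to a server that enforces NLA, which is why a proxy sitting in the middle must decide at this very first packet what it can and cannot relay.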
Core Features

Keylogging
All keyboard and mouse interactions are logged and saved in the PyRDP session file. Keystrokes can be retrieved without video playback with:

    pyrdp-player.py --headless

Screen Recording
PyRDP records the video output from the server from the moment the connection is established. Recorded sessions can be replayed on demand or converted to MP4.

Credential Capture
Credentials are dumped to the terminal and log files when stored in the connection request. Keyboard heuristics detect them in other cases.
RDP Honeypot Overview

[Figure: honeypot deployment. Scanners, automated exploits and malicious agents reach a public-facing PyRDP VM (Linux) hosted at a cloud provider, which relays to an internal honeypot VM (Windows)]
RDP Honeypot - Credential Stuffing
Force valid server credentials regardless of what the client requests

[Figure: the client sends Username: nobody / Password: badpass; PyRDP replaces them with Username: admin / Password: secret123! toward the server]
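The credentials that "Credential Capture" dumps from the connection request, and that the honeypot replaces here, live in the Client Info PDU (TS_INFO_PACKET) of the Secure Settings Exchange. The block below is an added example, not PyRDP's own implementation, serving both slides: it parses the TS_INFO_PACKET body, records the username and password the client attempted, and rebuilds the packet with the honeypot's valid credentials so the session can proceed. It assumes the caller has already stripped (and, under Standard RDP Security, decrypted) the security header and hands over only the TS_INFO_PACKET bytes; the function names and sample values are constructed for this example, the field layout is that of MS-RDPBCGR 2.2.1.11.1.1.

```python
import struct

INFO_UNICODE = 0x00000010  # TS_INFO_PACKET flag: string fields are UTF-16LE
# CodePage, flags, cbDomain, cbUserName, cbPassword, cbAlternateShell, cbWorkingDir
_HEADER = struct.Struct("<IIHHHHH")
_FIELDS = ("domain", "username", "password", "alternate_shell", "working_dir")


def _encode(value: str, unicode_: bool) -> bytes:
    """Encode one string field with its mandatory null terminator."""
    if unicode_:
        return value.encode("utf-16-le") + b"\x00\x00"
    return value.encode("cp1252") + b"\x00"


def build_client_info(flags, domain="", username="", password="", alternate_shell="",
                      working_dir="", extra_info=b"", code_page=0) -> bytes:
    """Serialize a TS_INFO_PACKET; extra_info is the optional TS_EXTENDED_INFO_PACKET tail."""
    unicode_ = bool(flags & INFO_UNICODE)
    terminator = 2 if unicode_ else 1
    encoded = [_encode(v, unicode_) for v in (domain, username, password, alternate_shell, working_dir)]
    # The cb* fields count the string bytes only and exclude the null terminator.
    header = _HEADER.pack(code_page, flags, *(len(e) - terminator for e in encoded))
    return header + b"".join(encoded) + extra_info


def parse_client_info(data: bytes) -> dict:
    """Parse a TS_INFO_PACKET body into its fields; the extended tail is kept opaque."""
    if len(data) < _HEADER.size:
        raise ValueError("truncated TS_INFO_PACKET header")
    code_page, flags, *sizes = _HEADER.unpack_from(data, 0)
    unicode_ = bool(flags & INFO_UNICODE)
    terminator = 2 if unicode_ else 1
    codec = "utf-16-le" if unicode_ else "cp1252"
    offset = _HEADER.size
    info = {"code_page": code_page, "flags": flags}
    for name, cb in zip(_FIELDS, sizes):
        end = offset + cb + terminator
        if end > len(data):
            raise ValueError("truncated %s field" % name)
        info[name] = data[offset:offset + cb].decode(codec)
        offset = end
    info["extra_info"] = data[offset:]
    return info


def substitute_credentials(data: bytes, username: str, password: str):
    """Honeypot step: return (rebuilt packet with valid credentials, credentials the client attempted)."""
    info = parse_client_info(data)
    attempted = (info["domain"], info["username"], info["password"])
    rebuilt = build_client_info(info["flags"], info["domain"], username, password,
                                info["alternate_shell"], info["working_dir"],
                                info["extra_info"], info["code_page"])
    return rebuilt, attempted


# Constructed sample: what a scanner might send, using the values from the slide.
ATTEMPT = build_client_info(INFO_UNICODE, domain="", username="nobody", password="badpass")

if __name__ == "__main__":
    forwarded, attempted = substitute_credentials(ATTEMPT, "admin", "secret123!")
    print("client attempted domain=%r user=%r password=%r" % attempted)
    print("forwarding", parse_client_info(forwarded)["username"])
```

Because the cb* lengths are recomputed from the replacement strings, the rebuilt packet stays well-formed even when the honeypot's credentials are longer or shorter than what the client sent; the outer security header and TPKT length must then be recomputed by the caller for the new size.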


RDP Honeypot - File Carving
Transferred files are intercepted and stored to disk

[Figure: the client transfers ransomware.exe through PyRDP to the server; PyRDP saves a copy to disk as ransomware.exe]
RDP Attacks - Session Hijacking
Taking over an intercepted RDP connection with a single button

[Figure: client input flows through PyRDP to the server; once the session is hijacked, PyRDP input replaces the client input]
RDP Attacks - Transparent Proxying
Transparently intercept subnets at scale with ARP spoofing

[Figure: network diagram with clients, gateway and PyRDP]

No ARP Spoofing / TPROXY
- Clients must directly connect to PyRDP

ARP Spoofing + TPROXY
- Clients are intercepted and redirected to their intended server*

* Clients will fail to connect if the intended server enforces NLA or requires CredSSP

RDP Attacks - Command Injection
Automatically run arbitrary code on any intercepted connection

[Figure: Client, PyRDP and Server. Client input is relayed normally; PyRDP performs an automated session hijack, injects its payload, then restores the session so client input is relayed again]
Learn More About PyRDP
Try it out, contribute, give us your feedback!

Source Code / Documentation
- https://github.com/GoSecure/pyrdp
- PyRDP Transparent Proxying Guide
- RDP Connection Sequence
- RDP Basic Protocol Specification

Past Presentations & Blogs
- Introduction Blog Post
- NorthSec 2019 Talk
- BlackHat Arsenal 2019
- Blog: PyRDP on Autopilot
- DerbyCon 2019 (Video)

Contact us on Twitter
@obilodeau
@alxbl_sec